I want to set up PAM so it requires both fingerprint and the password to login, here is my current configuration:
auth requisite pam_fprintd.so
auth requisite pam_unix.so nullok
However, it is not working as I expect:
I'm able to unlock with the correct password only.
If I use the fingerprint to auth, I get a password prompt after login, which I can simply bypass by clicking Cancel.
Last edited by winslowsem (2023-07-17 13:57:45)
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
winslowsem wrote: here is my current configuration:
auth requisite pam_fprintd.so
auth requisite pam_unix.so nullok
That is your /etc/pam.d/system-auth ???
On a formal note, please use [code][/code] tags. Edit your post in this regard.
I'm sorry, I've only posted the related lines, here is my full configuration:
system-auth
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=3 default=ignore] pam_systemd_home.so
auth required pam_fprintd.so
auth required pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow sha512
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
For system-login and system-local-login, they are untouched (pam-selinux's default) and both include system-auth, directly or indirectly.
Last edited by winslowsem (2023-07-17 03:02:25)
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
idk how, but after messing with PAM for a while this is working for me
auth required pam_faillock.so preauth
-auth [success=2 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth [success=1 default=ignore] pam_unix.so try_first_pass
auth required pam_fprintd.so
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
"requisite" turned into "required" (again)?
Should™ not matter, though.
Try to comment all pam_systemd_home.so lines in all PAM configurations (I guess you're not using that anyway?)
PSA (though you probably figured that by now): you want to keep an open root shell while messing around w/ PAM. Just in case
Also PSA: fix the tabs. You don't want to lose track of what's in those lines (but it's not a problem here)
Edit: F5**
That config skips fprintd when pam_unix is successful?
Last edited by seth (2023-07-17 06:47:42)
I'm actually using systemd-homed lol
I've fixed it with the configuration
#%PAM-1.0
auth required pam_faillock.so preauth
-auth [success=2 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth [success=1 default=ignore] pam_unix.so try_first_pass
auth required pam_fprintd.so
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow sha512
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
There is a minor problem: you will be prompted for the password again after successfully entering the DE.
Tbh I have no idea why this config is working, but I've tested different situations and it is performing as I wished (enforcing two factors for all auths), so I guess I'm going to leave it as it is.
It is truly a pain in the butt to mess with PAM, cuz every time you f it up you'll need to reboot into a livecd to fix it, and I have LUKS on.
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
seth wrote:
"requisite" turned into "required" (again)?
Should™ not matter, though.
Try to comment all pam_systemd_home.so lines in all PAM configurations (I guess you're not using that anyway?)
PSA (though you probably figured that by now): you want to keep an open root shell while messing around w/ PAM. Just in case
Also PSA: fix the tabs. You don't want to lose track of what's in those lines (but it's not a problem here)
Edit: F5**
That config skips fprintd when pam_unix is successful?
Yeah that's the weird part, it should have skipped fprintd, but instead of skipping it it enforces it
Could be a bug? I'm not that sure since it could be the installation of fprintd creating some additional configs on PAM/GDM
❯ sudo echo test
[sudo] pasvorto por winslow:
Place your finger on the fingerprint reader
Verification timed out
Malĝuste, reprovu.
Place your finger on the fingerprint reader
I've tested that it cannot be bypassed when you don't input anything
Last edited by winslowsem (2023-07-17 06:59:02)
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
winslowsem wrote: I'm actually using systemd-homed lol
In your original config the
-auth [success=3 default=ignore] pam_systemd_home.so
skips the next three modules if it succeeds.
In your second and third it skips the next two modules, jumping right to pam_fprintd.so
I'm betting your right arm that pam_systemd_homed gets in the way/is the only thing that actually authorizes you.
Return to your initial approach and remove the success=3 from the homed line.
KEEP A ROOTSHELL OPEN!
seth wrote:
winslowsem wrote: I'm actually using systemd-homed lol
In your original config the
-auth [success=3 default=ignore] pam_systemd_home.so
skips the next three modules if it succeeds.
In your second and third it skips the next two modules, jumping right to pam_fprintd.so
I'm betting your right arm that pam_systemd_homed gets in the way/is the only thing that actually authorizes you.
Return to your initial approach and remove the success=3 from the homed line.
KEEP A ROOTSHELL OPEN!
I tried to keep a root shell open, but I have too many security restrictions like SELinux preventing me from doing so, so I just gave up and reboot into a livecd every time.
Will try this now, thank you
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
seth wrote:
winslowsem wrote: I'm actually using systemd-homed lol
In your original config the
-auth [success=3 default=ignore] pam_systemd_home.so
skips the next three modules if it succeeds.
In your second and third it skips the next two modules, jumping right to pam_fprintd.so
I'm betting your right arm that pam_systemd_homed gets in the way/is the only thing that actually authorizes you.
Return to your initial approach and remove the success=3 from the homed line.
KEEP A ROOTSHELL OPEN!
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [default=ignore] pam_systemd_home.so
auth required pam_unix.so nullok try_first_pass
auth [success=1] pam_fprintd.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
Yep this is also working, and this config makes much more sense to me
The additional password prompt is still showing, however I would not mind one more layer of security lol
I also noticed a strange phenomenon: you can press Enter to make the system ask you only for the fingerprint; however, the password is still enforced, so you get an error prompt when you bypass the password this way and authenticate with your fingerprint.
Thanks for your help!
Last edited by winslowsem (2023-07-17 07:11:15)
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
You could try "success=1" to skip only pam_unix if systemd_home is successful
seth wrote: You could try "success=1" to skip only pam_unix if systemd_home is successful
I just found another weird phenomenon with the new setup
At the GDM login page you can auth with your fingerprint only; the system will unlock, however, in a strange state. You will be prompted for a password, which you can simply Cancel; if you choose to cancel it you will still have access to all of your files, except some software will malfunction because of permission problems.
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
winslowsem wrote:
seth wrote: You could try "success=1" to skip only pam_unix if systemd_home is successful
I just found another weird phenomenon with the new setup
At the GDM login page you can auth with your fingerprint only; the system will unlock, however, in a strange state. You will be prompted for a password, which you can simply Cancel; if you choose to cancel it you will still have access to all of your files, except some software will malfunction because of permission problems.
nvm my old setup has exactly the same problem
the only difference between adding or not adding success=1 to pam_unix is whether you need to auth your fingerprint at the additional prompt
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
Not to pam_unix, to pam_systemd_homed - if that succeeds (and I suspect it asks for your password) you then skip pam_unix right to the fingerprint.
seth wrote: Not to pam_unix, to pam_systemd_homed - if that succeeds (and I suspect it asks for your password) you then skip pam_unix right to the fingerprint.
Yeah it should also be a problem with systemd-homed. I realized that with this current configuration, GDM will correctly require both factors to be authed, but will only require the fingerprint for unlocking after a successful login, presumably because the home directory for the user is already mounted?
Lock screen has the same situation
auth required pam_faillock.so preauth
-auth [success=3 default=die] pam_systemd_home.so
auth [default=die] pam_faillock.so
auth [success=1 default=die] pam_unix.so try_first_pass
auth [default=die] pam_faillock.so
auth [success=1 default=die] pam_fprintd.so
auth [default=die] pam_faillock.so
auth required pam_faillock.so
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
Last edited by winslowsem (2023-07-17 09:35:51)
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
winslowsem wrote:
seth wrote: Not to pam_unix, to pam_systemd_homed - if that succeeds (and I suspect it asks for your password) you then skip pam_unix right to the fingerprint.
Yeah it should also be a problem with systemd-homed. I realized that with this current configuration, GDM will correctly require both factors to be authed, but will only require the fingerprint for unlocking after a successful login, presumably because the home directory for the user is already mounted?
Lock screen has the same situation
auth required pam_faillock.so preauth
-auth [success=3 default=die] pam_systemd_home.so
auth [default=die] pam_faillock.so
auth [success=1 default=die] pam_unix.so try_first_pass
auth [default=die] pam_faillock.so
auth [success=1 default=die] pam_fprintd.so
auth [default=die] pam_faillock.so
auth required pam_faillock.so
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
I just realized that this is more likely to be a problem with GDM, as it works for the initial login but malfunctions for unlocking afterward
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
Stop flailing around w/ the PAM, there's no need to inject the gazillion "[default=die] pam_faillock.so" lines.
The one in #10 should™ be mostly ok, but you can "success=1" pam_systemd_home.so to skip pam_unix, that's it.
pam_systemd_home.so will most likely only do something on login, but not when authenticating against a screenlocker
pam_unix.so will then, because of try_first_pass, use the password from pam_systemd_home.so and you only have to stick your fin… provide the dactyloscopy.
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=1 default=ignore] pam_systemd_home.so
auth required pam_unix.so nullok
auth [success=1] pam_fprintd.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
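To make the jump semantics seth describes concrete, here is a small model of Linux-PAM's auth-stack dispatch (an added example, not code from this thread or from Linux-PAM) that steps through winslowsem's first system-auth stack and seth's final one: with [success=3] on the homed line a correct password alone skips pam_fprintd.so entirely, while the [success=1] form skips only pam_unix.so and still demands the fingerprint. The model is simplified on purpose: only the 'success' and 'auth_err' return values exist, modules not listed in `outcomes` are assumed to succeed, and an unlisted value with no default= is treated as bad.

```python
import re

# pam.conf(5) shorthand controls as [value=action]; only success/auth_err are modelled.
SHORTHAND = {k: {"success": "ok", "default": d}
             for k, d in (("required", "bad"), ("requisite", "die"), ("optional", "ignore"))}
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_auth(config):
    """Yield (module, {retval: action}) per auth line; '-' only silences a missing module."""
    for raw in config.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            ctl = m.group(2)
            yield m.group(3), (dict(kv.split("=") for kv in ctl[1:-1].split())
                               if ctl[0] == "[" else SHORTHAND[ctl])

def run_auth(config, outcomes):
    """Linux-PAM dispatch model: outcomes maps module -> 'success'/'auth_err'
    (unlisted modules succeed); returns (result, [(module, what happened)])."""
    impression, skip, trace = None, 0, []
    for module, actions in parse_auth(config):
        if skip:                       # jumped over by an earlier [success=N]
            skip -= 1
            trace.append((module, "skipped"))
            continue
        ret = outcomes.get(module, "success")
        act = actions.get(ret, actions.get("default", "bad"))  # unlisted -> bad
        trace.append((module, f"{ret}->{act}"))
        if act in ("bad", "die"):      # failure noted; 'die' also stops the stack
            impression = "fail"
            if act == "die":
                break
        elif act != "ignore":          # 'ok', or N = ok + skip the next N modules
            skip = int(act) if act.isdigit() else 0
            impression = impression or "success"
    return ("success" if impression == "success" else "fail"), trace

# winslowsem's first system-auth auth stack (comments and other types omitted).
ORIGINAL = """auth required pam_faillock.so preauth
-auth [success=3 default=ignore] pam_systemd_home.so
auth required pam_fprintd.so
auth required pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc"""
# seth's final stack: homed skips only pam_unix, and pam_fprintd jumps over the authfail line.
FINAL = ORIGINAL.replace("success=3", "success=1").replace(
    "auth required pam_fprintd.so\nauth required pam_unix.so nullok",
    "auth required pam_unix.so nullok\nauth [success=1] pam_fprintd.so")
```

Calling `run_auth(ORIGINAL, {"pam_fprintd.so": "auth_err"})` returns success with pam_fprintd.so marked "skipped" in the trace, whereas the same outcomes against `FINAL` die at the authfail line.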
seth wrote:
Stop flailing around w/ the PAM, there's no need to inject the gazillion "[default=die] pam_faillock.so" lines.
The one in #10 should™ be mostly ok, but you can "success=1" pam_systemd_home.so to skip pam_unix, that's it.
pam_systemd_home.so will most likely only do something on login, but not when authenticating against a screenlocker
pam_unix.so will then, because of try_first_pass, use the password from pam_systemd_home.so and you only have to stick your fin… provide the dactyloscopy.
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=1 default=ignore] pam_systemd_home.so
auth required pam_unix.so nullok
auth [success=1] pam_fprintd.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
Works like a charm, thank you
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
seth wrote:
Stop flailing around w/ the PAM, there's no need to inject the gazillion "[default=die] pam_faillock.so" lines.
The one in #10 should™ be mostly ok, but you can "success=1" pam_systemd_home.so to skip pam_unix, that's it.
pam_systemd_home.so will most likely only do something on login, but not when authenticating against a screenlocker
pam_unix.so will then, because of try_first_pass, use the password from pam_systemd_home.so and you only have to stick your fin… provide the dactyloscopy.
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=1 default=ignore] pam_systemd_home.so
auth required pam_unix.so nullok
auth [success=1] pam_fprintd.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
well... unlocking with the fingerprint only after the first login is still doable, I guess GNOME isn't really designed to work with multi-factor auth
Removing the success=1 from systemd_home doesn't cut it
I might need to develop something requiring the user to perform a mandatory sudo auth after login, this is the only workaround I can think of
Last edited by winslowsem (2023-07-20 16:41:43)
I use Arch on LVM on LUKS with SELinux and Secure Boot btw
At least GDM comes w/ a bunch of its own pam configs (one of them actually fprint related), have you looked into those?
seth wrote: At least GDM comes w/ a bunch of its own pam configs (one of them actually fprint related), have you looked into those?
that is brilliant
I noticed /etc/pam.d/gdm-fingerprint earlier, but as it already included system-local-login I didn't mess with it; I just realized it is solely responsible for handling unlocking when you have a fingerprint enrolled, and it does not include system-local-login for the auth part.
So simply adding those modifications from system-auth to it seems to do the trick
Here is my newest config for gdm-fingerprint
#%PAM-1.0
auth required pam_shells.so
auth requisite pam_nologin.so
auth requisite pam_faillock.so preauth
-auth [default=ignore] pam_systemd_home.so
auth required pam_unix.so nullok
auth [success=1] pam_fprintd.so
auth [default=die] pam_faillock.so authfail silent deny=32 unlock_time=300
auth optional pam_permit.so
auth required pam_env.so
auth [success=ok default=1] pam_gdm.so
auth optional pam_gnome_keyring.so
account include system-local-login
password required pam_deny.so
session include system-local-login
session optional pam_gnome_keyring.so auto_start
I use Arch on LVM on LUKS with SELinux and Secure Boot btw